// These lines should run as the user
DoImpersonation();
CallComComponent();
UndoImpersonation();
}

THE PROBLEM IS:
I need the first lines to run with a different user. I don't want to use
2 impersonations.
I want all the other parts - which are not in the impersonation scope -
to run with a user I'll configure in IIS (NOT "network service"!)

Tried the following:
1 - configure the webservice to run as anonymous access, with a certain
user. But then Impersonate() doesn't work (exception - can't impersonate
with an anonymous user).

2 - configure the webservice as windows-integrated security. Now I
want to decide which user will run the "default lines". So the only way
I see - is create an application pool with identity=MyDefaultUser.
When doing this, I get an HTTP 401 error (unauthorized) if I try to
call the web service. The only user which works is if I call the
webservice with MyDefaultUser.

I DO set the credentials for the webservice (defaultCredentials) - so
that's not the problem.

Set the AppPool identity to whatever you want your app to run under (add
this account to the IIS_WPG local group).
You have to enable Windows integrated auth and disable anonymous access in
IIS.
Enable Windows authentication in ASP.NET: <authentication mode="Windows" />
The clients need read DACLs on the .asmx files.

This should do it.
---------------------------------------
Dominick Baier - DevelopMentor - http://www.leastprivilege.com
> Hello,
>
> I'm writing a web method which calls a COM+ method, which I need to
> call with the user that logged on to Windows and invoked the WebMethod
> (impersonation).
>
> Simple impersonation works (impersonate=true in web.config) - however,
> I need that only a certain part of the code will run in this context.
> For other parts, I need different grant options.
>
> So that's where code-impersonation comes in (using
> HttpContext.Current.User.Identity and calling Impersonate()).
> For example:
>
> [WebMethod]
> public void ConfusedMethod()
> {
> // These lines will need some powerful grants
> WriteSomethingToEventLog();
> OpenFileInSystemDirectory();
> // These lines should run as the user
> DoImpersonation();
> CallComComponent();
> UndoImpersonation();
> }
> THE PROBLEM IS:
> I need the first lines to run with a different user. I don't want to
> use 2 impersonations.
> I want all the other parts - which are not in the impersonation scope -
> to run with a user I'll configure in IIS (NOT "network service"!)
> Tried the following:
> 1 - configure the webservice to run as anonymous access, with a certain
> user. But then Impersonate() doesn't work (exception - can't impersonate
> with an anonymous user).
> 2 - configure the webservice as windows-integrated security. Now I
> want to decide which user will run the "default lines". So the only way
> I see - is create an application pool with identity=MyDefaultUser.
> When doing this, I get an HTTP 401 error (unauthorized) if I try to
> call the web service. The only user which works is if I call the
> webservice with MyDefaultUser.
> I DO set the credentials for the webservice (defaultCredentials) - so
> that's not the problem.
>
> What's the correct way to accomplish that?
>
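As an added example (not code from the thread), this is how the ConfusedMethod sketched in the question looks with the setup from the reply above: the method body runs as the app-pool identity (MyDefaultUser), and only the COM call runs as the Windows user who invoked the WebMethod, with an explicit check that refuses to impersonate an anonymous identity (the exception from attempt #1). It assumes Windows integrated auth with anonymous access off, `<authentication mode="Windows" />` and no `<identity impersonate="true" />` in web.config; the helper names, the event source "MyWebService" and the ProgID "MyApp.Component" are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

public class ImpersonationService : WebService
{
    [WebMethod]
    public string ConfusedMethod()
    {
        // Runs as the application pool identity (MyDefaultUser), not as the caller.
        string poolUser = WindowsIdentity.GetCurrent().Name;
        WriteSomethingToEventLog();
        OpenFileInSystemDirectory();

        // Only an authenticated Windows caller can be impersonated; an anonymous
        // identity is what threw the exception in attempt #1 of the question.
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller is not an authenticated Windows user.");

        string callerUser;
        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            // Everything in this block runs with the caller's token.
            callerUser = WindowsIdentity.GetCurrent().Name;
            CallComComponent();
        }
        finally
        {
            ctx.Undo(); // always revert, even if the COM call throws
        }

        // Back on the pool identity for the rest of the method.
        return "pool=" + poolUser + "; com call ran as=" + callerUser;
    }

    // These need rights the caller may lack, so they run as the pool identity.
    // The event source is hypothetical and must be registered beforehand.
    private static void WriteSomethingToEventLog() { EventLog.WriteEntry("MyWebService", "ConfusedMethod invoked"); }
    private static void OpenFileInSystemDirectory() { File.ReadAllBytes(Path.Combine(Environment.SystemDirectory, @"drivers\etc\hosts")); }

    // Placeholder for the real COM+ call; the ProgID is not from the thread.
    private static void CallComComponent() { Activator.CreateInstance(Type.GetTypeFromProgID("MyApp.Component")); }
}
```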

Guest

Hi & thanks for the quick reply.

Your suggestion is exactly the same as my #2 attempt to solve the
problem (mentioned above).
The situation now is exactly as you mentioned.
The new info you've added is about DACLs. I don't exactly know what you
meant, but I tried adding read permissions through the Windows file system
(is that what you meant?) to the user & nada.

BTW - if I open myService.asmx from the local computer it works with no
problem (because I'm logged in as the same user that runs the apppool).
If I open myService.asmx from a remote computer - I get prompted to
enter user & pass, and nothing passes through, even if I enter the
apppool user & its password.

---------------------------------------
Dominick Baier - DevelopMentor - http://www.leastprivilege.com
> Hi & thanks for the quick reply.
>
> Your suggestion is exactly the same as my #2 attempt to solve the
> problem (mentioned above).
> The situation now is exactly as you mentioned.
> The new info you've added is about DACLs. I don't exactly know what you
> meant, but I tried adding read permissions through the Windows file system
> (is that what you meant?) to the user & nada.
> BTW - if I open myService.asmx from the local computer it works with
> no problem (because I'm logged in as the same user that runs the apppool).
> If I open myService.asmx from a remote computer - I get prompted to
> enter user & pass, and nothing passes through, even if I enter the
> apppool user & its password.
> Any ideas?
>

Hello,
If I understood your problem exactly, my advice is to impersonate your COM+
component, not ASP.NET or IIS. To accomplish this you must register your COM+
component under a COM+ application that is configured to run as a server
application (or you can modify the IIS application protection level). Impersonate
this COM+ application. Add read & execute rights for the physical DLL for the
ASPNET user and give directory listing rights on that hard drive...

This is the easiest way to do this. But it might have some security risks, I
am not sure.. Be careful with this scenario. "Anyone who can call your COM+
component will have the impersonated user's rights and permissions.."

<> wrote in message
news:...
> Hi & thanks for the quick reply.
>
> Your suggestion is exactly the same as my #2 attempt to solve the
> problem (mentioned above).
> The situation now is exactly as you mentioned.
> The new info you've added is about DACLs. I don't exactly know what you
> meant, but I tried adding read permissions through the Windows file system
> (is that what you meant?) to the user & nada.
>
> BTW - if I open myService.asmx from the local computer it works with no
> problem (because I'm logged in as the same user that runs the apppool).
> If I open myService.asmx from a remote computer - I get prompted to
> enter user & pass, and nothing passes through, even if I enter the
> apppool user & its password.
>
>
> Any ideas?
>
